Primary

Context

RAGFlow SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability exists in RAGFlow versions through 0.15.1. The issue arises in the ExeSQL component, which directly transmits extracted SQL statements to the database, allowing for potential manipulation of the SQL query and execution of arbitrary SQL commands.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

The vulnerability can be reproduced by inputting a crafted SQL statement that exploits the ExeSQL component's direct transmission of SQL queries to the database. This can be done by manipulating the input to include SQL injection payloads, which the application will then execute against the database.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

6.0

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

6.0

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

RAGFlow SQL Injection Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

infiniflow ragflow

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating